2023-10-28 23:00:05 +00:00
|
|
|
# vim: ft=yaml.ansible
|
2023-10-29 19:46:52 +00:00
|
|
|
# code: language=ansible
|
2023-10-28 23:00:05 +00:00
|
|
|
---
|
2023-11-11 20:09:17 +00:00
|
|
|
- name: Move main LAN network to zone 'drop'
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: drop
|
|
|
|
source: 192.168.1.0/24
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
|
|
|
|
|
|
|
- name: Move lab network to zone 'dmz'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: dmz
|
|
|
|
source: 192.168.17.0/24
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
2023-10-28 23:00:05 +00:00
|
|
|
state: enabled
|
2023-11-11 18:11:14 +00:00
|
|
|
|
2023-11-11 20:09:17 +00:00
|
|
|
- name: Move internal network to zone 'internal'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: internal
|
2023-11-11 20:09:17 +00:00
|
|
|
source: 10.2.0.0/16
|
2023-11-11 18:11:14 +00:00
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
2023-11-11 20:09:17 +00:00
|
|
|
when: hostname in groups['virtualservers']
|
2023-11-11 18:11:14 +00:00
|
|
|
|
2023-11-11 20:09:17 +00:00
|
|
|
- name: Default deny incoming connections to SSH port in zone 'dmz'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: dmz
|
|
|
|
service: ssh
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
2023-11-11 20:09:17 +00:00
|
|
|
state: disabled
|
|
|
|
|
|
|
|
- name: Default deny incoming connections to SSH port in zone 'internal'
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: internal
|
|
|
|
service: ssh
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: disabled
|
|
|
|
when: hostname in groups['virtualservers']
|
2023-11-11 18:11:14 +00:00
|
|
|
|
|
|
|
# When sapt-labx-ctl01 is deployed
|
2023-11-11 20:09:17 +00:00
|
|
|
- name: Allow incoming connections from jump host to SSH port in zone 'dmz'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: dmz
|
|
|
|
source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
|
|
|
|
service: ssh
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
2023-11-11 20:09:17 +00:00
|
|
|
when: false # hostname not in groups['control_infra']
|
|
|
|
|
|
|
|
# Until sapt-labx-ctl01 is deployed
|
|
|
|
- name: Allow incoming connections to SSH port in zone 'drop'
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: drop
|
|
|
|
service: ssh
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
|
|
|
when: true
|
2023-11-11 18:11:14 +00:00
|
|
|
|
|
|
|
- name: Firewall rules for group 'control_infra'
|
|
|
|
when: hostname in groups['control_infra']
|
|
|
|
block:
|
2023-11-11 20:09:17 +00:00
|
|
|
- name: Allow incoming connections to SSH port in zone 'dmz'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: dmz
|
|
|
|
service: ssh
|
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
|
|
|
|
2023-11-11 20:09:17 +00:00
|
|
|
- name: Allow incoming connections to DNS port in zones 'drop' and 'dmz'
|
2023-11-11 18:11:14 +00:00
|
|
|
ansible.posix.firewalld:
|
2023-11-11 20:09:17 +00:00
|
|
|
zone: "{{ item }}"
|
|
|
|
service: dns
|
2023-11-11 18:11:14 +00:00
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
|
|
|
loop:
|
2023-11-11 20:09:17 +00:00
|
|
|
- drop
|
|
|
|
- dmz
|
2023-11-11 18:11:14 +00:00
|
|
|
|
|
|
|
- name: Firewall rules for production and staging
|
|
|
|
loop:
|
|
|
|
- prod
|
|
|
|
- stage
|
|
|
|
loop_control:
|
|
|
|
loop_var: env
|
|
|
|
block:
|
|
|
|
- name: Allow incoming connections from app servers to PostgreSQL
|
|
|
|
ansible.posix.firewalld:
|
|
|
|
zone: internal
|
|
|
|
source: "{{ hostvars[item].internal_ipv4 }}"
|
2023-11-11 20:09:17 +00:00
|
|
|
service: postgresql
|
2023-11-11 18:11:14 +00:00
|
|
|
permanent: true
|
|
|
|
immediate: true
|
|
|
|
state: enabled
|
|
|
|
loop: "{{ groups['app_' + env] }}"
|
|
|
|
when: hostname in groups['db_' + env]
|